From ee2d263223b3c35c94386a5a6fafb839d2a9e98a Mon Sep 17 00:00:00 2001
From: Chris R
Date: Fri, 11 Sep 2015 16:03:40 -0700
Subject: [PATCH] #434 Remove the nonce cache.
---
 .../OpenIdConnectHandler.cs | 37 +------------------
 .../OpenIdConnectMiddleware.cs | 9 -----
 .../OpenIdConnectOptions.cs | 14 -------
 .../project.json | 1 -
 4 files changed, 2 insertions(+), 59 deletions(-)
diff --git a/src/Microsoft.AspNet.Authentication.OpenIdConnect/OpenIdConnectHandler.cs b/src/Microsoft.AspNet.Authentication.OpenIdConnect/OpenIdConnectHandler.cs
index f88d7f27e3..182f8d1aee 100644
--- a/src/Microsoft.AspNet.Authentication.OpenIdConnect/OpenIdConnectHandler.cs
+++ b/src/Microsoft.AspNet.Authentication.OpenIdConnect/OpenIdConnectHandler.cs
@@ -16,7 +16,6 @@ using System.Threading.Tasks;
 using Microsoft.AspNet.Http;
 using Microsoft.AspNet.Http.Authentication;
 using Microsoft.AspNet.Http.Features.Authentication;
-using Microsoft.Framework.Caching.Distributed;
 using Microsoft.Framework.Internal;
 using Microsoft.Framework.Logging;
 using Microsoft.IdentityModel.Protocols.OpenIdConnect;
@@ -203,23 +202,7 @@ namespace Microsoft.AspNet.Authentication.OpenIdConnect
 if (Options.ProtocolValidator.RequireNonce)
 {
 message.Nonce = Options.ProtocolValidator.GenerateNonce();
- if (Options.CacheNonces)
- {
- if (await Options.NonceCache.GetAsync(message.Nonce) != null)
- {
- Logger.LogError(Resources.OIDCH_0033_NonceAlreadyExists, message.Nonce);
- throw new OpenIdConnectProtocolException(string.Format(CultureInfo.InvariantCulture, Resources.OIDCH_0033_NonceAlreadyExists, message.Nonce));
- }
-
- await Options.NonceCache.SetAsync(message.Nonce, new byte[0], new DistributedCacheEntryOptions
- {
- AbsoluteExpirationRelativeToNow = Options.ProtocolValidator.NonceLifetime
- });
- }
- else
- {
- WriteNonceCookie(message.Nonce);
- }
+ WriteNonceCookie(message.Nonce);
 }
 
 GenerateCorrelationId(properties);
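Review bot: After this change `WriteNonceCookie(message.Nonce)` is the only record that a nonce was issued, so the server-side duplicate check the removed `OIDCH_0033_NonceAlreadyExists` branch performed is gone and replay protection rests entirely on the cookie being consumed when the response is validated; a comment at the call site would make that contract visible, e.g. `// The nonce cookie is the only record of this nonce; it must be consumed on the response path so a replayed id_token is rejected.` If nothing else in the file references `Resources.OIDCH_0033_NonceAlreadyExists` or `CultureInfo`, they are likely unused now, which is worth confirming. The enclosing method starts and ends outside the hunk.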
@@ -1021,23 +1004,7 @@ namespace Microsoft.AspNet.Authentication.OpenIdConnect
 string nonce = jwt?.Payload.Nonce;
 if (!string.IsNullOrEmpty(nonce))
 {
- if (Options.CacheNonces)
- {
- if (await Options.NonceCache.GetAsync(nonce) != null)
- {
- await Options.NonceCache.RemoveAsync(nonce);
- }
- else
- {
- // If the nonce cannot be removed, it was
- // already used and MUST be rejected.
- nonce = null;
- }
- }
- else
- {
- nonce = ReadNonceCookie(nonce);
- }
+ nonce = ReadNonceCookie(nonce);
 }
 
 var protocolValidationContext = new OpenIdConnectProtocolValidationContext
diff --git a/src/Microsoft.AspNet.Authentication.OpenIdConnect/OpenIdConnectMiddleware.cs b/src/Microsoft.AspNet.Authentication.OpenIdConnect/OpenIdConnectMiddleware.cs
index 667ecf0615..76819648ff 100644
--- a/src/Microsoft.AspNet.Authentication.OpenIdConnect/OpenIdConnectMiddleware.cs
+++ b/src/Microsoft.AspNet.Authentication.OpenIdConnect/OpenIdConnectMiddleware.cs
@@ -8,8 +8,6 @@ using System.Text;
 using Microsoft.AspNet.Builder;
 using Microsoft.AspNet.DataProtection;
 using Microsoft.AspNet.Http;
-using Microsoft.Framework.Caching.Distributed;
-using Microsoft.Framework.DependencyInjection;
 using Microsoft.Framework.Internal;
 using Microsoft.Framework.Logging;
 using Microsoft.Framework.OptionsModel;
@@ -129,13 +127,6 @@ namespace Microsoft.AspNet.Authentication.OpenIdConnect
 Options.ConfigurationManager = new ConfigurationManager(Options.MetadataAddress, new OpenIdConnectConfigurationRetriever(), Backchannel);
 }
 }
-
- if (Options.CacheNonces && Options.NonceCache == null)
- {
- // Use the global distributed cache if the user has not provided his own instance.
- // Note: GetRequiredService will throw an exception if caching services have not been registered.
- Options.NonceCache = services.GetRequiredService();
- }
 }
 
 protected HttpClient Backchannel { get; private set; }
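Review bot: The removed branch carried the rationale `// If the nonce cannot be removed, it was already used and MUST be rejected.`, and the replacement `nonce = ReadNonceCookie(nonce);` drops it, so a reader no longer sees that a missing cookie is meant to fail validation rather than merely skip the nonce check. Presumably ReadNonceCookie returns null when no matching cookie exists; if so, a comment such as `// ReadNonceCookie returns null when no matching cookie exists, so the protocol validator rejects the token as a possible replay.` keeps that intent at the call site. The enclosing method starts and ends outside the hunk.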
diff --git a/src/Microsoft.AspNet.Authentication.OpenIdConnect/OpenIdConnectOptions.cs b/src/Microsoft.AspNet.Authentication.OpenIdConnect/OpenIdConnectOptions.cs
index 2cdec8f4c1..03be470999 100644
--- a/src/Microsoft.AspNet.Authentication.OpenIdConnect/OpenIdConnectOptions.cs
+++ b/src/Microsoft.AspNet.Authentication.OpenIdConnect/OpenIdConnectOptions.cs
@@ -9,7 +9,6 @@ using System.IdentityModel.Tokens.Jwt;
 using System.Net.Http;
 using Microsoft.AspNet.Http;
 using Microsoft.AspNet.Http.Authentication;
-using Microsoft.Framework.Caching.Distributed;
 using Microsoft.Framework.WebEncoders;
 using Microsoft.IdentityModel.Protocols;
 using Microsoft.IdentityModel.Protocols.OpenIdConnect;
@@ -133,19 +132,6 @@ namespace Microsoft.AspNet.Authentication.OpenIdConnect
 ///
 public string MetadataAddress { get; set; }
 
- ///
- /// The OpenIdConnect protocol http://openid.net/specs/openid-connect-core-1_0.html
- /// recommends adding a nonce to a request as a mitigation against replay attacks when requesting id_tokens.
- /// By default the runtime uses cookies with unique names generated from a hash of the nonce.
- ///
- public IDistributedCache NonceCache { get; set; }
-
- ///
- /// Gets or sets the value indicating whether nonces should be stored in the distributed cache or not.
- /// The default value, false, is used to store nonces in client cookies.
- ///
- public bool CacheNonces { get; set; }
-
 ///
 /// Gets or sets the to notify when processing OpenIdConnect messages.
 ///
diff --git a/src/Microsoft.AspNet.Authentication.OpenIdConnect/project.json b/src/Microsoft.AspNet.Authentication.OpenIdConnect/project.json
index 597b3d5513..c81a8d085b 100644
--- a/src/Microsoft.AspNet.Authentication.OpenIdConnect/project.json
+++ b/src/Microsoft.AspNet.Authentication.OpenIdConnect/project.json
@@ -7,7 +7,6 @@
 },
 "dependencies": {
 "Microsoft.AspNet.Authentication": "1.0.0-*",
-"Microsoft.Framework.Caching.Abstractions": "1.0.0-*",
 "Microsoft.Framework.NotNullAttribute.Sources": { "type": "build", "version": "1.0.0-*" },
 "Microsoft.IdentityModel.Protocols.OpenIdConnect": "2.0.0-beta7-*"
 },